Collection #1: a data trove of more than 2.6 billion rows of stolen email addresses and passwords has been discovered on a hacking forum, sparking new concerns over the damage that data breaches can cause.
Australian cybersecurity expert and Microsoft Regional Director Troy Hunt was tipped off about the data collection and, when he went to investigate, found 772,904,991 unique email addresses publicly exposed.
The collection totalled more than 12,000 separate files amounting to 87GB of data and contained 21,222,975 unique passwords.
Mr Hunt wrote a blog post on his website disclosing the stolen data, in which he states that he too is a victim: “My own personal data is in there and it’s accurate; right email address and a password I used many years ago.”
The breach has been named Collection #1 after the title the hackers gave the root folder. The collection does not appear to be the result of a single breach, but aggregates data from many breaches across an array of sources.
Data in Collection #1 is DeHashed
Most worrying is that the data contained in the files is not encrypted or ‘hashed’. Mr Hunt notes that: “The data contains “dehashed” passwords which have been cracked and converted back to plain text.” This means that anyone with access to the files can read the credentials directly and use them for malicious activity.
The main concern is that a threat actor will use the data in a credential stuffing attack. This occurs when an automated process tests stolen email and password combinations against an array of websites to find which are still valid, giving the attacker access to the accounts on those sites.
An automated bot can test millions of combinations against thousands of sites. Credential stuffing should be a key concern for anyone who reuses the same email and password combination across multiple accounts: in that scenario, the breach of one is the breach of all.
Trevor Reschke, Head of Threat Intelligence at Trusted Knight, told Computer Business Review in an emailed statement that: “Credentials for an email account may be some of the most valuable there are. The reason for this is that many people reuse their passwords on multiple accounts – and the email account likely has emails in it identifying all the person’s accounts: shopping, banking, investing, telephone, etc.”
“The email account is also almost always the method used to communicate with the customer, even resetting passwords. This is why email credentials have a large, more complete threat to user account loss than any other.”
Have You Been Affected?
Troy Hunt runs the website Have I Been Pwned (HIBP), which users can use to check whether their email address or password has been compromised in a breach. You can simply visit the site and enter your email address to receive a free report on whether it has appeared in a previous breach.
Troy Hunt commented that: “As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.”
“140M email addresses in this breach that HIBP has never seen before. The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum”
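Pwned Passwords, the list Mr Hunt refers to above, can be queried by an application at sign-up or password-change time without ever sending the user's password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range, and does the comparison locally (the k-anonymity range API). The block below is an added example written for this article, not code from Have I Been Pwned or from Troy Hunt. The endpoint `https://api.pwnedpasswords.com/range/{prefix}` and its `SUFFIX:COUNT` line format are the service's published interface; the embedded range body is a constructed stand-in for a live response so the example runs offline, and its counts are illustrative rather than current figures.

```python
"""Pwned Passwords k-anonymity range check (added example).

Only a 5-hex-character SHA-1 prefix is sent to the API; the full hash and the
password itself stay on the client. SHA-1 is used here because that is the
hash the service indexes by, not because it is recommended for storing
passwords yourself.
"""
import hashlib
import urllib.request

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body returned by GET .../range/5BAA6 (the real
# response has several hundred lines; the counts below are illustrative).
# The middle suffix is the genuine SHA-1 suffix of the password "password".
FAKE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "2A0D0DE7E9F7D5B3A1C2E5F6A7B8C9D0E1F:11\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str):
    """Split a 40-char SHA-1 hex digest into the 5-char prefix sent and the suffix kept."""
    return hash_hex[:5], hash_hex[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch a range from the real API (network access required)."""
    req = urllib.request.Request(
        API_BASE + prefix,
        headers={"User-Agent": "range-check-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_fake(prefix: str) -> str:
    """Offline fetcher backed by the constructed FAKE_RANGES table."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """Return how many times the password appears in Pwned Passwords (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def reject_if_pwned(password: str, fetch_range=fetch_range_live) -> bool:
    """Policy hook for a sign-up form: True means the password is acceptable."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range_fake)
        print(f"{candidate!r}: seen {n} times, accept={n == 0}")
```

Swap `fetch_range_fake` for the default `fetch_range_live` to query the real service; the call still only ever transmits the five-character prefix, so the check can safely sit in a registration or password-change flow.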
Jake Moore, cyber security expert at ESET UK, told Computer Business Review that: “There has never been a better time to change your password. It is quite a feat not to have had an email address, or other personal information breached over the last decade. If you’re one of those people who think it won’t happen to you, then it probably already has.”
“Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites.”